There are nine levels; each one gives an introduction and the source code of the service to attack. I have uploaded all the code they provided to https://github.com/dalvarezs

Level 0

Welcome to Capture the Flag! If you find yourself stuck or want to learn more about web security in general, we've prepared a list of helpful resources for you. You can chat with fellow solvers in the CTF chatroom (also accessible in your favorite IRC client at irc://irc.stripe.com:+6697/ctf).

We'll start you out with Level 0, the Secret Safe. The Secret Safe is designed as a secure place to store all of your secrets. It turns out that the password to access Level 1 is stored within the Secret Safe. If only you knew how to crack safes...

You can access the Secret Safe at https://level00-1.stripe-ctf.com/user-czemoskhjv. The Safe's code is included below, and can also be obtained via git clone https://level00-1.stripe-ctf.com/user-czemoskhjv/level00-code.

A quick review of the code (in Ruby) shows that the vulnerability is a SQL injection in a statement that uses LIKE. The vulnerable code in the file level00.js is:

Sending the character % in the namespace parameter returns every stored value, which yields the password MTNzeALlbv.

Level 1

Excellent, you are now on Level 1, the Guessing Game. All you have to do is guess the combination correctly, and you'll be given the password to access Level 2! We've been assured that this level has no security vulnerabilities in it (and the machine running the Guessing Game has no outbound network connectivity, meaning you wouldn't be able to extract the password anyway), so you'll probably just have to try all the possible combinations. Or will you...?

You can play the Guessing Game at https://level01-2.stripe-ctf.com/user-fidecfsyim. The code for the Game can be obtained from git clone https://level01-2.stripe-ctf.com/user-fidecfsyim/level01-code, and is also included below.

The application expects the password in the attempt parameter. However, reading the code (PHP this time) you notice that it is possible to send a parameter named filename, and that value is what the PHP code uses instead of 'secret-combination.txt'. This way we control the condition "if ($attempt === $combination)" and obtain the password EzErXetuTd.
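Returning to the Level 0 injection: the level00.js query itself is not reproduced on this page, so the block below is an added Python example (not the level's code) that reproduces the mechanism against an in-memory SQLite table. The "<namespace>.<name>" key layout, the sample rows and the shape of the query are assumptions. It shows that a parameterised LIKE query is still wildcard-injectable, and the ESCAPE-clause fix:

```python
import sqlite3

# Constructed sample rows. The "<namespace>.<name>" key layout is an assumption
# about the Secret Safe, not taken from the level's code.
SAMPLE_ROWS = [
    ("user-czemoskhjv.favourite-colour", "blue"),
    ("user-czemoskhjv.shopping-list", "waffles"),
    ("level01-password.password", "PLACEHOLDER-not-the-real-password"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE secrets (key TEXT, secret TEXT)")
    conn.executemany("INSERT INTO secrets VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_wildcard_unsafe(conn, namespace):
    """Parameterised, so there is no classic SQL injection, but '%' and '_'
    inside the bound value are still LIKE wildcards: a namespace of '%'
    becomes the pattern '%.%', which every key matches."""
    sql = "SELECT key, secret FROM secrets WHERE key LIKE ? || '.%'"
    return conn.execute(sql, (namespace,)).fetchall()


def escape_like(value, esc="\\"):
    """Escape the LIKE metacharacters (and the escape character itself)
    in user input so they match literally."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def lookup_safe(conn, namespace):
    """Same query, but the user-controlled prefix is escaped and the ESCAPE
    clause tells SQLite which character marks a literal. The trailing '.%'
    comes from the SQL text, so it keeps its wildcard meaning."""
    sql = "SELECT key, secret FROM secrets WHERE key LIKE ? || '.%' ESCAPE '\\'"
    return conn.execute(sql, (escape_like(namespace),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe, namespace '%':", lookup_wildcard_unsafe(db, "%"))
    print("safe,   namespace '%':", lookup_safe(db, "%"))
```

Placeholders protect the structure of the statement, not the semantics of LIKE, so the escaping step is needed with any driver; note that "_" is a wildcard too and would otherwise match the "-" in another user's namespace.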

Reloading the page yields the password ZZFMsfXAhg. This level was starting to get more fun!

Level 4

The Karma Trader is the world's best way to reward people for good deeds: https://level04-4.stripe-ctf.com/user-lkfvmdujam. You can sign up for an account, and start transferring karma to people who you think are doing good in the world. In order to ensure you're transferring karma only to good people, transferring karma to a user will also reveal your password to him or her.

The very active user karma_fountain has infinite karma, making it a ripe account to obtain (no one will notice a few extra karma trades here and there). The password for karma_fountain's account will give you access to Level 5.

You can obtain the full, runnable source for the Karma Trader from git clone https://level04-4.stripe-ctf.com/user-lkfvmdujam/level04-code. We've included the most important files below.

From the description the goal is clear: get the user karma_fountain to transfer credit to us so that its password is revealed to us. The code shows how transfers are carried out:

Level 5

Many attempts have been made at creating a federated identity system for the web (see OpenID, for example). However, none of them have been successful. Until today.

The DomainAuthenticator is based off a novel protocol for establishing identities. To authenticate to a site, you simply provide it username, password, and pingback URL. The site posts your credentials to the pingback URL, which returns either "AUTHENTICATED" or "DENIED". If "AUTHENTICATED", the site considers you signed in as a user for the pingback domain.

You can check out the Stripe CTF DomainAuthenticator instance here: https://level05-1.stripe-ctf.com/user-ujgjbpdotv. We've been using it to distribute the password to access Level 6. If you could only somehow authenticate as a user of a level05 machine...

To avoid nefarious exploits, the machine hosting the DomainAuthenticator has very locked down network access. It can only make outbound requests to other stripe-ctf.com servers. Though, you've heard that someone forgot to internally firewall off the high ports from the Level 2 server.

Interested in setting up your own DomainAuthenticator? You can grab the source from git clone https://level05-1.stripe-ctf.com/user-ujgjbpdotv/level05-code, or by reading on below.

The introduction does not make it very clear what has to be done; reviewing the code, the relevant part is the following. We need the condition "if host =~ PASSWORD_HOSTS" to be satisfied so that the password is shown to us:

# Handler that reveals the password to authenticated users of a password host
user = session[:auth_user]
host = session[:auth_host]
if user && host
  output += " You are authenticated as #{user}@#{host}. "
  if host =~ PASSWORD_HOSTS
    output += " Since you're a user of a password host and all,"
    output += " you deserve to know this password: #{PASSWORD} "
  end
end

# Host patterns the handler checks against
# Run with the production file on the server
if File.exists?('production')
  PASSWORD_HOSTS = /^level05-\d+\.stripe-ctf\.com$/
  ALLOWED_HOSTS = /\.stripe-ctf\.com$/
else
  PASSWORD_HOSTS = /^localhost$/
  ALLOWED_HOSTS = //
end
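The production configuration above decides which pingback hosts are trusted with nothing more than a suffix match on the hostname, and the level's own hint is that another stripe-ctf.com machine has unfiltered high ports. As an added example (not the DomainAuthenticator's code), here is a Python validator for a user-supplied pingback URL that checks every part of the URL the server will later rely on: scheme, userinfo, port and an anchored host match. The function name, the return shape and the hardened checks are assumptions; only the two host patterns come from the page.

```python
import re
from urllib.parse import urlsplit

# The two host patterns from the level's production config, anchored for fullmatch().
PASSWORD_HOSTS = re.compile(r"level05-\d+\.stripe-ctf\.com")
ALLOWED_HOSTS = re.compile(r"[a-z0-9.-]+\.stripe-ctf\.com")


def validate_pingback(url):
    """Hypothetical hardened check for a pingback URL. Returns (ok, reason).

    The host recorded in the session is derived from this parse, so the
    whole URL is validated rather than just the hostname suffix.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme must be https"
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    # Refusing non-default ports means a forgotten firewall rule on some
    # high port elsewhere in the domain is not reachable through this feature.
    if port not in (None, 443):
        return False, "non-default port"
    # fullmatch() cannot be satisfied by a substring, unlike search() with ^...$
    # where '$' also matches just before a trailing newline.
    if not ALLOWED_HOSTS.fullmatch(host):
        return False, "host not allowed"
    kind = "password host" if PASSWORD_HOSTS.fullmatch(host) else "ordinary host"
    return True, kind


if __name__ == "__main__":
    for candidate in ("https://level05-1.stripe-ctf.com/user-ujgjbpdotv/",
                      "https://level02-2.stripe-ctf.com:8080/x"):
        print(candidate, "->", validate_pingback(candidate))
```

Even with these checks the design still delegates the authentication decision to whatever answers at the pingback URL, so an allow-list of specific hosts (rather than a whole domain) is the setting a real deployment would want.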

Level 6

After Karma Trader from Level 4 was hit with massive karma inflation (purportedly due to someone flooding the market with massive quantities of karma), the site had to close its doors. All hope was not lost, however, since the technology was acquired by a real up-and-comer, Streamer. Streamer is the self-proclaimed most streamlined way of sharing updates with your friends. You can access your Streamer instance here: https://level06-2.stripe-ctf.com/user-axbechwixy

The Streamer engineers, realizing that security holes had led to the demise of Karma Trader, have greatly beefed up the security of their application. Which is really too bad, because you've learned that the holder of the password to access Level 7, level07-password-holder, is the first Streamer user.

As well, level07-password-holder is taking a lot of precautions: his or her computer has no network access besides the Streamer server itself, and his or her password is a complicated mess, including quotes and apostrophes and the like.

Fortunately for you, the Streamer engineers have decided to open-source their application so that other people can run their own Streamer instances. You can obtain the source for Streamer at git clone https://level06-2.stripe-ctf.com/user-axbechwixy/level06-code. We've also included the most important files below.

After reading the description, the goal is clear:

var post_data = [{"time":"Fri Aug 24 11:23:42 +0000 2012","title":"Hello World","user":"level07-password-holder","id":null,"body":"Welcome to Streamer, the most streamlined way of sharing\nupdates with your friends!\n\nOne great feature of Streamer is that no password resets are needed. I, for\nexample, have a very complicated password (including apostrophes, quotes, you\nname it!). But I remember it by clicking my name on the right-hand side and\nseeing what my password is.\n\nNote also that Streamer can run entirely within your corporate firewall. My\nmachine, for example, can only talk directly to the Streamer server itself!"}];
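The post_data line above is user-authored content (post bodies) serialised straight into a script element. Whenever that is done, the encoding has to guarantee that the text can neither close the script element nor break out of the JSON string literal. The block below is an added Python example, not Streamer's code: the helper names and the sample post are constructed, and it assumes the page is rendered as a "var post_data = [...]" line like the one shown.

```python
import json

# Characters that are harmless in JSON but significant to the HTML parser once
# the JSON sits inside <script>. Replacing them with \u escapes keeps the JSON
# valid while removing every '<', '>' and '&' from the emitted text.
_SCRIPT_ESCAPES = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def to_script_json(value):
    """json.dumps() output that is safe to place inside a <script> element.

    json.dumps already escapes quotes, backslashes and control characters, and
    with the default ensure_ascii=True every non-ASCII character too; only the
    three HTML-significant ASCII characters need extra handling.
    """
    out = json.dumps(value)
    for ch, rep in _SCRIPT_ESCAPES.items():
        out = out.replace(ch, rep)
    return out


def render_stream(posts):
    """Emit the same 'var post_data = [...]' line Streamer uses, safely encoded."""
    return "<script>\nvar post_data = " + to_script_json(posts) + ";\n</script>"


def check_roundtrip(posts):
    """The escaped text is still plain JSON and decodes to the original posts."""
    return json.loads(to_script_json(posts)) == posts


# Constructed sample post (not from the level): body contains quotes,
# apostrophes and HTML tags, the kinds of characters the level description mentions.
SAMPLE_POSTS = [
    {
        "user": "level07-password-holder",
        "title": "Hello World",
        "body": "Welcome to Streamer!\nMy password has \"quotes\" and 'apostrophes' in it, and <b>tags</b> too.",
    }
]


if __name__ == "__main__":
    print(render_stream(SAMPLE_POSTS))
```

The round-trip check is the useful property: the browser's JSON/JavaScript parser sees exactly the original strings, while the HTML tokenizer never sees a "<" that could start a tag inside the script element.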

When the user level07-password-holder connects, we will obtain the password 'frHrvqmmtcXV".

Level 7

Welcome to the penultimate level, Level 7.

WaffleCopter is a new service delivering locally-sourced organic waffles hot off of vintage waffle irons straight to your location using quad-rotor GPS-enabled helicopters. The service is modeled after TacoCopter, an innovative and highly successful early contender in the airborne food delivery industry. WaffleCopter is currently being tested in private beta in select locations.

Your goal is to order one of the decadent Liège Waffles, offered only to WaffleCopter's first premium subscribers.

Log in to your account at https://level07-2.stripe-ctf.com/user-vnnjojikfr with username ctf and password password. You will find your API credentials after logging in. You can fetch the code for the level via git clone https://level07-2.stripe-ctf.com/user-vnnjojikfr/level07-code, or you can read it below. You may find the sample API client in client.py particularly helpful.

Reviewing the code, the following stands out:

Level 8

Welcome to the final level, Level 8.

HINT 1: No, really, we're not looking for a timing attack.

HINT 2: Running the server locally is probably a good place to start. Anything interesting in the output?

UPDATE: If you push the reset button for Level 8, you will be moved to a different Level 8 machine, and the value of your Flag will change. If you push the reset button on Level 2, you will be bounced to a new Level 2 machine, but the value of your Flag won't change.

Because password theft has become such a rampant problem, a security firm has decided to create PasswordDB, a new and secure way of storing and validating passwords. You've recently learned that the Flag itself is protected in a PasswordDB instance, accessible at https://level08-2.stripe-ctf.com/user-veyrdiujkx/.

PasswordDB exposes a simple JSON API. You just POST a payload of the form {"password": "password-to-check", "webhooks": ["mysite.com:3000", ...]} to PasswordDB, which will respond with a {"success": true} or {"success": false} to you and your specified webhook endpoints. (For example, try running curl https://level08-2.stripe-ctf.com/user-veyrdiujkx/ -d '{"password": "password-to-check", "webhooks": []}'.)

In PasswordDB, the password is never stored in a single location or process, making it the bane of attackers' respective existences. Instead, the password is "chunked" across multiple processes, called "chunk servers". These may live on the same machine as the HTTP-accepting "primary server", or for added security may live on a different machine. PasswordDB comes with built-in security features such as timing attack prevention and protection against using unequitable amounts of CPU time (relative to other PasswordDB instances on the same machine).

As a secure cherry on top, the machine hosting the primary server has very locked down network access. It can only make outbound requests to other stripe-ctf.com servers. As you learned in Level 5, someone forgot to internally firewall off the high ports from the Level 2 server. (It's almost like someone on the inside is helping you — there's an sshd running on the Level 2 server as well.)

To maximize adoption, usability is also a goal of PasswordDB. Hence a launcher script, password_db_launcher, has been created for the express purpose of securing the Flag. It validates that your password looks like a valid Flag and automatically spins up 4 chunk servers and a primary server.

You can obtain the code for PasswordDB from git clone https://level08-2.stripe-ctf.com/user-veyrdiujkx/level08-code, or simply read the source below.

It was not quick to see what the objective was; in this case, using the code they had given us, I set the service up locally to run tests. When a request was made: